@chenpu17/cc-gw 0.2.4 → 0.3.0

package/src/server/dist/index.js

@@ -2,8 +2,8 @@
 import Fastify from "fastify";
 import fastifyCors from "@fastify/cors";
 import fastifyStatic from "@fastify/static";
-import fs3 from "fs";
-import path3 from "path";
+import fs4 from "fs";
+import path4 from "path";
 import process2 from "process";
 import { fileURLToPath } from "url";
 
@@ -20,7 +20,8 @@ var LOG_LEVELS = /* @__PURE__ */ new Set([
   "debug",
   "trace"
 ]);
-var HOME_DIR = path.join(os.homedir(), ".cc-gw");
+var HOME_OVERRIDE = process.env.CC_GW_HOME;
+var HOME_DIR = path.resolve(HOME_OVERRIDE ?? path.join(os.homedir(), ".cc-gw"));
 var CONFIG_PATH = path.join(HOME_DIR, "config.json");
 var TypedEmitter = class extends EventEmitter {
   on(event, listener) {
@@ -34,7 +35,54 @@ var TypedEmitter = class extends EventEmitter {
   }
 };
 var emitter = new TypedEmitter();
+var KNOWN_ENDPOINTS = ["anthropic", "openai"];
 var cachedConfig = null;
+function sanitizeDefaults(input) {
+  const defaults = {
+    completion: null,
+    reasoning: null,
+    background: null,
+    longContextThreshold: 6e4
+  };
+  if (input) {
+    if (typeof input.completion === "string" || input.completion === null) {
+      defaults.completion = input.completion ?? null;
+    }
+    if (typeof input.reasoning === "string" || input.reasoning === null) {
+      defaults.reasoning = input.reasoning ?? null;
+    }
+    if (typeof input.background === "string" || input.background === null) {
+      defaults.background = input.background ?? null;
+    }
+    if (typeof input.longContextThreshold === "number" && Number.isFinite(input.longContextThreshold)) {
+      defaults.longContextThreshold = input.longContextThreshold;
+    }
+  }
+  return defaults;
+}
+function sanitizeModelRoutes(input) {
+  if (!input)
+    return {};
+  const sanitized = {};
+  for (const [key, value] of Object.entries(input)) {
+    if (typeof value !== "string")
+      continue;
+    const trimmedKey = key.trim();
+    const trimmedValue = value.trim();
+    if (!trimmedKey || !trimmedValue)
+      continue;
+    sanitized[trimmedKey] = trimmedValue;
+  }
+  return sanitized;
+}
+function resolveEndpointRouting(source, fallback) {
+  const defaultsRaw = typeof source === "object" && source !== null ? source.defaults : void 0;
+  const routesRaw = typeof source === "object" && source !== null ? source.modelRoutes : void 0;
+  return {
+    defaults: sanitizeDefaults(defaultsRaw ?? fallback.defaults),
+    modelRoutes: sanitizeModelRoutes(routesRaw ?? fallback.modelRoutes)
+  };
+}
 function parseConfig(raw) {
   const data = JSON.parse(raw);
   if (typeof data.port !== "number") {
@@ -43,43 +91,43 @@ function parseConfig(raw) {
   if (!Array.isArray(data.providers)) {
     data.providers = [];
   }
-  if (!data.defaults) {
-    data.defaults = {
-      completion: null,
-      reasoning: null,
-      background: null,
-      longContextThreshold: 6e4
-    };
-  } else {
-    data.defaults.longContextThreshold ??= 6e4;
-  }
+  const legacyDefaults = sanitizeDefaults(data.defaults);
   if (typeof data.logRetentionDays !== "number") {
     data.logRetentionDays = 30;
   }
   if (typeof data.storePayloads !== "boolean") {
     data.storePayloads = true;
   }
-  if (!data.modelRoutes || typeof data.modelRoutes !== "object") {
-    data.modelRoutes = {};
-  } else {
-    const sanitized = {};
-    for (const [key, value] of Object.entries(data.modelRoutes)) {
-      if (typeof value !== "string")
-        continue;
-      const trimmedKey = key.trim();
-      const trimmedValue = value.trim();
-      if (!trimmedKey || !trimmedValue)
-        continue;
-      sanitized[trimmedKey] = trimmedValue;
-    }
-    data.modelRoutes = sanitized;
-  }
+  const legacyRoutes = sanitizeModelRoutes(data.modelRoutes);
   if (typeof data.logLevel !== "string" || !LOG_LEVELS.has(data.logLevel)) {
     data.logLevel = "info";
   }
   if (typeof data.requestLogging !== "boolean") {
     data.requestLogging = true;
   }
+  if (typeof data.responseLogging !== "boolean") {
+    data.responseLogging = data.requestLogging !== false;
+  }
+  const endpointRouting = {};
+  const sourceRouting = data.endpointRouting && typeof data.endpointRouting === "object" ? data.endpointRouting : {};
+  const fallbackAnthropic = {
+    defaults: legacyDefaults,
+    modelRoutes: legacyRoutes
+  };
+  const fallbackOpenAI = {
+    defaults: sanitizeDefaults(void 0),
+    modelRoutes: {}
+  };
+  for (const endpoint of KNOWN_ENDPOINTS) {
+    const fallback = endpoint === "anthropic" ? fallbackAnthropic : fallbackOpenAI;
+    endpointRouting[endpoint] = resolveEndpointRouting(
+      sourceRouting[endpoint],
+      fallback
+    );
+  }
+  data.endpointRouting = endpointRouting;
+  data.defaults = { ...endpointRouting.anthropic.defaults };
+  data.modelRoutes = { ...endpointRouting.anthropic.modelRoutes };
   return data;
 }
 function loadConfig() {
@@ -97,8 +145,9 @@ function getConfig() {
 }
 function updateConfig(next) {
   fs.mkdirSync(path.dirname(CONFIG_PATH), { recursive: true });
-  fs.writeFileSync(CONFIG_PATH, JSON.stringify(next, null, 2), "utf-8");
-  cachedConfig = next;
+  const normalized = parseConfig(JSON.stringify(next));
+  fs.writeFileSync(CONFIG_PATH, JSON.stringify(normalized, null, 2), "utf-8");
+  cachedConfig = normalized;
   emitter.emitTyped("change", cachedConfig);
 }
 function onConfigChange(listener) {
@@ -301,19 +350,23 @@ function resolveByIdentifier(identifier, providers) {
 }
 function resolveRoute(ctx) {
   const config = getConfig();
+  const endpointConfig = config.endpointRouting?.[ctx.endpoint] ?? config.endpointRouting?.anthropic;
+  if (!endpointConfig) {
+    throw new Error(`\u672A\u627E\u5230\u7AEF\u70B9 ${ctx.endpoint} \u7684\u8DEF\u7531\u914D\u7F6E`);
+  }
   const providers = config.providers;
   if (!providers.length) {
     throw new Error("\u672A\u914D\u7F6E\u4EFB\u4F55\u6A21\u578B\u63D0\u4F9B\u5546\uFF0C\u8BF7\u5148\u5728 Web UI \u4E2D\u6DFB\u52A0 Provider\u3002");
   }
   const requestedModel = ctx.requestedModel?.trim();
-  const mappedIdentifier = requestedModel ? config.modelRoutes?.[requestedModel] ?? null : null;
+  const mappedIdentifier = requestedModel ? endpointConfig.modelRoutes?.[requestedModel] ?? null : null;
   const fallbackModelId = providers[0].defaultModel ?? providers[0].models?.[0]?.id ?? "gpt-4o";
   const tokenEstimate = estimateTokens(
     ctx.payload,
     mappedIdentifier ?? requestedModel ?? fallbackModelId
   );
   const strategy = ctx.payload;
-  const defaults = config.defaults;
+  const defaults = endpointConfig.defaults;
   if (mappedIdentifier) {
     const mapped = resolveByIdentifier(mappedIdentifier, providers);
     if (mapped) {
@@ -771,7 +824,8 @@ import fs2 from "fs";
 import os2 from "os";
 import path2 from "path";
 import sqlite3 from "sqlite3";
-var HOME_DIR2 = path2.join(os2.homedir(), ".cc-gw");
+var HOME_OVERRIDE2 = process.env.CC_GW_HOME;
+var HOME_DIR2 = path2.resolve(HOME_OVERRIDE2 ?? path2.join(os2.homedir(), ".cc-gw"));
 var DATA_DIR = path2.join(HOME_DIR2, "data");
 var DB_PATH = path2.join(DATA_DIR, "gateway.db");
 sqlite3.verbose();
@@ -840,6 +894,45 @@ async function columnExists(db, table, column) {
   const rows = await all(db, `PRAGMA table_info(${table})`);
   return rows.some((row) => row.name === column);
 }
+async function migrateDailyMetricsTable(db) {
+  const columns = await all(db, "PRAGMA table_info(daily_metrics)");
+  if (columns.length === 0)
+    return;
+  const hasEndpointColumn = columns.some((column) => column.name === "endpoint");
+  const primaryKeyColumns = columns.filter((column) => column.pk > 0);
+  const hasCompositePrimaryKey = primaryKeyColumns.length > 1;
+  if (!hasEndpointColumn || !hasCompositePrimaryKey) {
+    const endpointSelector = hasEndpointColumn ? "COALESCE(endpoint, 'anthropic')" : "'anthropic'";
+    await exec(
+      db,
+      `ALTER TABLE daily_metrics RENAME TO daily_metrics_old;
+       CREATE TABLE daily_metrics (
+         date TEXT NOT NULL,
+         endpoint TEXT NOT NULL DEFAULT 'anthropic',
+         request_count INTEGER DEFAULT 0,
+         total_input_tokens INTEGER DEFAULT 0,
+         total_output_tokens INTEGER DEFAULT 0,
+         total_latency_ms INTEGER DEFAULT 0,
+         PRIMARY KEY (date, endpoint)
+       );
+       INSERT INTO daily_metrics (date, endpoint, request_count, total_input_tokens, total_output_tokens, total_latency_ms)
+         SELECT date,
+                ${endpointSelector},
+                request_count,
+                total_input_tokens,
+                total_output_tokens,
+                total_latency_ms
+           FROM daily_metrics_old;
+       DROP TABLE daily_metrics_old;`
+    );
+  } else {
+    await run(db, "UPDATE daily_metrics SET endpoint = 'anthropic' WHERE endpoint IS NULL OR endpoint = ''");
+  }
+  await run(
+    db,
+    "CREATE UNIQUE INDEX IF NOT EXISTS idx_daily_metrics_date_endpoint ON daily_metrics(date, endpoint)"
+  );
+}
 async function maybeAddColumn(db, table, column, definition) {
   const exists = await columnExists(db, table, column);
   if (!exists) {
@@ -853,6 +946,7 @@ async function ensureSchema(db) {
       id INTEGER PRIMARY KEY AUTOINCREMENT,
       timestamp INTEGER NOT NULL,
       session_id TEXT,
+      endpoint TEXT NOT NULL DEFAULT 'anthropic',
       provider TEXT NOT NULL,
       model TEXT NOT NULL,
       client_model TEXT,
@@ -864,7 +958,10 @@ async function ensureSchema(db) {
       cached_tokens INTEGER,
       ttft_ms INTEGER,
       tpot_ms REAL,
-      error TEXT
+      error TEXT,
+      api_key_id INTEGER,
+      api_key_name TEXT,
+      api_key_value TEXT
     );
 
     CREATE TABLE IF NOT EXISTS request_payloads (
@@ -875,11 +972,43 @@ async function ensureSchema(db) {
     );
 
     CREATE TABLE IF NOT EXISTS daily_metrics (
-      date TEXT PRIMARY KEY,
+      date TEXT NOT NULL,
+      endpoint TEXT NOT NULL DEFAULT 'anthropic',
       request_count INTEGER DEFAULT 0,
       total_input_tokens INTEGER DEFAULT 0,
       total_output_tokens INTEGER DEFAULT 0,
-      total_latency_ms INTEGER DEFAULT 0
+      total_latency_ms INTEGER DEFAULT 0,
+      PRIMARY KEY (date, endpoint)
+    );
+
+    CREATE TABLE IF NOT EXISTS api_keys (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      name TEXT NOT NULL,
+      description TEXT,
+      key_hash TEXT NOT NULL UNIQUE,
+      key_ciphertext TEXT,
+      key_prefix TEXT,
+      key_suffix TEXT,
+      is_wildcard INTEGER DEFAULT 0,
+      enabled INTEGER DEFAULT 1,
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER,
+      last_used_at INTEGER,
+      request_count INTEGER DEFAULT 0,
+      total_input_tokens INTEGER DEFAULT 0,
+      total_output_tokens INTEGER DEFAULT 0
+    );
+
+    CREATE TABLE IF NOT EXISTS api_key_audit_logs (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      api_key_id INTEGER,
+      api_key_name TEXT,
+      operation TEXT NOT NULL,
+      operator TEXT,
+      details TEXT,
+      ip_address TEXT,
+      created_at TEXT NOT NULL,
+      FOREIGN KEY(api_key_id) REFERENCES api_keys(id) ON DELETE SET NULL
     );`
   );
   await maybeAddColumn(db, "request_logs", "client_model", "TEXT");
@@ -887,6 +1016,36 @@ async function ensureSchema(db) {
   await maybeAddColumn(db, "request_logs", "ttft_ms", "INTEGER");
   await maybeAddColumn(db, "request_logs", "tpot_ms", "REAL");
   await maybeAddColumn(db, "request_logs", "stream", "INTEGER");
+  await maybeAddColumn(db, "request_logs", "endpoint", "TEXT DEFAULT 'anthropic'");
+  await maybeAddColumn(db, "request_logs", "api_key_id", "INTEGER");
+  await maybeAddColumn(db, "request_logs", "api_key_name", "TEXT");
+  await maybeAddColumn(db, "request_logs", "api_key_value", "TEXT");
+  const hasKeyHash = await columnExists(db, "api_keys", "key_hash");
+  if (!hasKeyHash) {
+    await run(db, "ALTER TABLE api_keys ADD COLUMN key_hash TEXT");
+  }
+  await maybeAddColumn(db, "api_keys", "key_ciphertext", "TEXT");
+  await maybeAddColumn(db, "api_keys", "key_prefix", "TEXT");
+  await maybeAddColumn(db, "api_keys", "key_suffix", "TEXT");
+  await maybeAddColumn(db, "api_keys", "updated_at", "INTEGER");
+  await maybeAddColumn(db, "api_keys", "last_used_at", "INTEGER");
+  await maybeAddColumn(db, "api_keys", "description", "TEXT");
+  await maybeAddColumn(db, "api_keys", "request_count", "INTEGER DEFAULT 0");
+  await maybeAddColumn(db, "api_keys", "total_input_tokens", "INTEGER DEFAULT 0");
+  await maybeAddColumn(db, "api_keys", "total_output_tokens", "INTEGER DEFAULT 0");
+  await migrateDailyMetricsTable(db);
+  await run(db, "CREATE UNIQUE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash) WHERE key_hash IS NOT NULL");
+  await run(db, "UPDATE api_keys SET key_hash = '*' WHERE is_wildcard = 1 AND (key_hash IS NULL OR key_hash = '')");
+  await run(db, "UPDATE api_keys SET updated_at = created_at WHERE updated_at IS NULL");
+  const wildcardRow = await get(db, "SELECT COUNT(*) as count FROM api_keys WHERE is_wildcard = 1");
+  if (!wildcardRow || wildcardRow.count === 0) {
+    const now = Date.now();
+    await run(
+      db,
+      "INSERT INTO api_keys (name, description, key_hash, is_wildcard, enabled, created_at, updated_at) VALUES (?, ?, ?, 1, 1, ?, ?)",
+      ["Any Key", null, "*", now, now]
+    );
+  }
 }
 async function getDb() {
   if (dbInstance) {
@@ -961,12 +1120,14 @@ function decompressPayload(value) {
 async function recordLog(entry) {
   const result = await runQuery(
     `INSERT INTO request_logs (
-      timestamp, session_id, provider, model, client_model, stream,
-      latency_ms, status_code, input_tokens, output_tokens, cached_tokens, error
-    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+      timestamp, session_id, endpoint, provider, model, client_model, stream,
+      latency_ms, status_code, input_tokens, output_tokens, cached_tokens, error,
+      api_key_id, api_key_name, api_key_value
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
     [
       entry.timestamp,
       entry.sessionId ?? null,
+      entry.endpoint,
       entry.provider,
       entry.model,
       entry.clientModel ?? null,
@@ -976,7 +1137,10 @@ async function recordLog(entry) {
       entry.inputTokens ?? null,
       entry.outputTokens ?? null,
       entry.cachedTokens ?? null,
-      entry.error ?? null
+      entry.error ?? null,
+      entry.apiKeyId ?? null,
+      entry.apiKeyName ?? null,
+      entry.apiKeyValue ?? null
     ]
   );
   return Number(result.lastID);
@@ -1038,17 +1202,18 @@ async function upsertLogPayload(requestId, payload) {
     [requestId, promptData, responseData]
   );
 }
-async function updateMetrics(date, delta) {
+async function updateMetrics(date, endpoint, delta) {
   await runQuery(
-    `INSERT INTO daily_metrics (date, request_count, total_input_tokens, total_output_tokens, total_latency_ms)
-     VALUES (?, ?, ?, ?, ?)
-     ON CONFLICT(date) DO UPDATE SET
+    `INSERT INTO daily_metrics (date, endpoint, request_count, total_input_tokens, total_output_tokens, total_latency_ms)
+     VALUES (?, ?, ?, ?, ?, ?)
+     ON CONFLICT(date, endpoint) DO UPDATE SET
        request_count = daily_metrics.request_count + excluded.request_count,
        total_input_tokens = daily_metrics.total_input_tokens + excluded.total_input_tokens,
        total_output_tokens = daily_metrics.total_output_tokens + excluded.total_output_tokens,
        total_latency_ms = daily_metrics.total_latency_ms + excluded.total_latency_ms`,
     [
       date,
+      endpoint,
       delta.requests,
       delta.inputTokens,
       delta.outputTokens,
@@ -1071,6 +1236,358 @@ function getActiveRequestCount() {
   return activeRequests;
 }
 
+// api-keys/service.ts
+import { randomBytes as randomBytes2, createHash } from "crypto";
+
+// security/encryption.ts
+import fs3 from "fs";
+import os3 from "os";
+import path3 from "path";
+import { randomBytes, createCipheriv, createDecipheriv } from "crypto";
+var HOME_OVERRIDE3 = process.env.CC_GW_HOME;
+var HOME_DIR3 = path3.resolve(HOME_OVERRIDE3 ?? path3.join(os3.homedir(), ".cc-gw"));
+var KEY_PATH = path3.join(HOME_DIR3, "encryption.key");
+var KEY_LENGTH = 32;
+var KEY_FILE_MODE = 384;
+var cachedKey = null;
+function writeKeyFile(buffer) {
+  fs3.mkdirSync(HOME_DIR3, { recursive: true });
+  fs3.writeFileSync(KEY_PATH, buffer.toString("base64"), { encoding: "utf8", mode: KEY_FILE_MODE });
+}
+function decodeKeyContent(content) {
+  const trimmed = content.trim();
+  if (!trimmed) {
+    return null;
+  }
+  const tryBase64 = (() => {
+    try {
+      const decoded = Buffer.from(trimmed, "base64");
+      return decoded.length === KEY_LENGTH ? decoded : null;
+    } catch {
+      return null;
+    }
+  })();
+  if (tryBase64)
+    return tryBase64;
+  if (/^[0-9a-fA-F]+$/.test(trimmed) && trimmed.length === KEY_LENGTH * 2) {
+    const decoded = Buffer.from(trimmed, "hex");
+    if (decoded.length === KEY_LENGTH) {
+      return decoded;
+    }
+  }
+  if (trimmed.length === KEY_LENGTH) {
+    const ascii = Buffer.from(trimmed, "utf8");
+    if (ascii.length === KEY_LENGTH) {
+      return ascii;
+    }
+  }
+  return null;
+}
+function ensureKeyMaterial() {
+  if (cachedKey) {
+    return cachedKey;
+  }
+  fs3.mkdirSync(HOME_DIR3, { recursive: true });
+  if (!fs3.existsSync(KEY_PATH)) {
+    const generated = randomBytes(KEY_LENGTH);
+    writeKeyFile(generated);
+    cachedKey = generated;
+    return generated;
+  }
+  const content = fs3.readFileSync(KEY_PATH, "utf8");
+  const decoded = decodeKeyContent(content);
+  if (decoded) {
+    cachedKey = decoded;
+    return decoded;
+  }
+  const regenerated = randomBytes(KEY_LENGTH);
+  writeKeyFile(regenerated);
+  cachedKey = regenerated;
+  console.info("[cc-gw][encryption] regenerated encryption key due to invalid file format");
+  return regenerated;
+}
+function encryptSecret(value) {
+  if (value === null || value === void 0) {
+    return null;
+  }
+  const key = ensureKeyMaterial();
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, tag, encrypted]).toString("base64");
+}
+function decryptSecret(payload) {
+  if (!payload) {
+    return null;
+  }
+  try {
+    const buffer = Buffer.from(payload, "base64");
+    if (buffer.length <= 28) {
+      return null;
+    }
+    const iv = buffer.subarray(0, 12);
+    const tag = buffer.subarray(12, 28);
+    const ciphertext = buffer.subarray(28);
+    const decipher = createDecipheriv("aes-256-gcm", ensureKeyMaterial(), iv);
+    decipher.setAuthTag(tag);
+    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return decrypted.toString("utf8");
+  } catch (error) {
+    console.warn("[cc-gw][encryption] failed to decrypt payload", error);
+    return null;
+  }
+}
+
+// api-keys/service.ts
+var apiKeysHasUpdatedAt = null;
+async function ensureApiKeysMetadataLoaded() {
+  if (apiKeysHasUpdatedAt !== null) {
+    return;
+  }
+  const info = await getAll("PRAGMA table_info(api_keys)");
+  apiKeysHasUpdatedAt = info.some((row) => row.name === "updated_at");
+}
+function toIsoOrNull(value) {
+  if (typeof value === "number" && Number.isFinite(value) && value > 0) {
+    try {
+      return new Date(value).toISOString();
+    } catch {
+    }
+  }
+  return null;
+}
+var ApiKeyError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "ApiKeyError";
+  }
+};
+var KEY_PREFIX = "sk-ccgw-";
+function hashKey(value) {
+  return createHash("sha256").update(value).digest("hex");
+}
+function maskKey(prefix, suffix) {
+  if (!prefix && !suffix) {
+    return "********";
+  }
+  const safePrefix = prefix ?? "";
+  const safeSuffix = suffix ?? "";
+  return `${safePrefix}****${safeSuffix}`;
+}
+async function recordAuditLog(payload) {
+  const { apiKeyId = null, apiKeyName = null, operation, operator = null, details = null, ipAddress = null } = payload;
+  const serializedDetails = details ? JSON.stringify(details) : null;
+  await runQuery(
+    `INSERT INTO api_key_audit_logs (api_key_id, api_key_name, operation, operator, details, ip_address, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?)`,
+    [apiKeyId, apiKeyName, operation, operator, serializedDetails, ipAddress, (/* @__PURE__ */ new Date()).toISOString()]
+  );
+}
+function generateKey() {
+  const randomPart = randomBytes2(24).toString("base64url");
+  const key = `${KEY_PREFIX}${randomPart}`;
+  return {
+    key,
+    prefix: key.slice(0, 6),
+    suffix: key.slice(-4)
+  };
+}
+async function listApiKeys() {
+  const rows = await getAll("SELECT id, name, description, key_prefix, key_suffix, is_wildcard, enabled, created_at, last_used_at, request_count, total_input_tokens, total_output_tokens FROM api_keys ORDER BY is_wildcard DESC, created_at DESC");
+  return rows.map((row) => ({
+    id: row.id,
+    name: row.name,
+    description: row.description ?? null,
+    maskedKey: row.is_wildcard ? null : maskKey(row.key_prefix, row.key_suffix),
+    isWildcard: Boolean(row.is_wildcard),
+    enabled: Boolean(row.enabled),
+    createdAt: toIsoOrNull(row.created_at),
+    lastUsedAt: toIsoOrNull(row.last_used_at),
+    requestCount: row.request_count ?? 0,
+    totalInputTokens: row.total_input_tokens ?? 0,
+    totalOutputTokens: row.total_output_tokens ?? 0
+  }));
+}
+async function createApiKey(name, description, context) {
+  const trimmed = name.trim();
+  if (!trimmed) {
+    throw new Error("Name is required");
+  }
+  if (trimmed.length > 100) {
+    throw new Error("Name too long (max 100 characters)");
+  }
+  const trimmedDescription = typeof description === "string" ? description.trim() : "";
+  if (trimmedDescription.length > 500) {
+    throw new Error("Description too long (max 500 characters)");
+  }
+  await ensureApiKeysMetadataLoaded();
+  const { key, prefix, suffix } = generateKey();
+  const hashed = hashKey(key);
+  const encrypted = encryptSecret(key);
+  const now = Date.now();
+  const columns = ["name", "description", "key_hash", "key_ciphertext", "key_prefix", "key_suffix", "is_wildcard", "enabled", "created_at"];
+  const placeholders = ["?", "?", "?", "?", "?", "?", "?", "?", "?"];
+  const values = [trimmed, trimmedDescription || null, hashed, encrypted, prefix, suffix, 0, 1, now];
+  if (apiKeysHasUpdatedAt) {
+    columns.push("updated_at");
+    placeholders.push("?");
+    values.push(now);
+  }
+  const result = await runQuery(
+    `INSERT INTO api_keys (${columns.join(", ")}) VALUES (${placeholders.join(", ")})`,
+    values
+  );
+  await recordAuditLog({
+    apiKeyId: result.lastID,
+    apiKeyName: trimmed,
+    operation: "create",
+    operator: context?.operator ?? null,
+    ipAddress: context?.ipAddress ?? null
+  });
+  return {
+    id: result.lastID,
+    key,
+    name: trimmed,
+    description: trimmedDescription || null,
+    createdAt: new Date(now).toISOString()
+  };
+}
+async function setApiKeyEnabled(id, enabled, context) {
+  await ensureApiKeysMetadataLoaded();
+  const existing = await getOne("SELECT id, name, is_wildcard, enabled FROM api_keys WHERE id = ?", [id]);
+  if (!existing) {
+    throw new Error("API key not found");
+  }
+  if (apiKeysHasUpdatedAt) {
+    await runQuery("UPDATE api_keys SET enabled = ?, updated_at = ? WHERE id = ?", [enabled ? 1 : 0, Date.now(), id]);
+  } else {
+    await runQuery("UPDATE api_keys SET enabled = ? WHERE id = ?", [enabled ? 1 : 0, id]);
+  }
+  await recordAuditLog({
+    apiKeyId: existing.id,
+    apiKeyName: existing.name,
+    operation: enabled ? "enable" : "disable",
+    operator: context?.operator ?? null,
+    ipAddress: context?.ipAddress ?? null
+  });
+}
+async function deleteApiKey(id, context) {
+  const existing = await getOne("SELECT id, name, is_wildcard FROM api_keys WHERE id = ?", [id]);
+  if (!existing) {
+    throw new Error("API key not found");
+  }
+  if (existing.is_wildcard) {
+    throw new Error("Cannot delete wildcard key");
+  }
+  await runQuery("DELETE FROM api_keys WHERE id = ?", [id]);
+  await recordAuditLog({
+    apiKeyId: existing.id,
+    apiKeyName: existing.name,
+    operation: "delete",
+    operator: context?.operator ?? null,
+    ipAddress: context?.ipAddress ?? null
+  });
+}
+async function fetchWildcard() {
+  const wildcard = await getOne("SELECT id, name, enabled FROM api_keys WHERE is_wildcard = 1 LIMIT 1");
+  return wildcard ?? null;
+}
+async function resolveApiKey(providedRaw, context) {
+  const provided = providedRaw?.trim() ?? "";
+  const wildcard = await fetchWildcard();
+  if (!provided) {
+    if (wildcard && wildcard.enabled) {
+      return {
+        id: wildcard.id,
+        name: wildcard.name,
+        isWildcard: true,
+        providedKey: ""
+      };
+    }
+    await recordAuditLog({
+      operation: "auth_failure",
+      details: { reason: "missing" },
+      ipAddress: context?.ipAddress ?? null
+    });
+    throw new ApiKeyError("API key is required", "missing");
+  }
+  const hashed = hashKey(provided);
+  const existing = await getOne("SELECT id, name, enabled, is_wildcard FROM api_keys WHERE key_hash = ?", [hashed]);
+  if (existing) {
+    if (!existing.enabled) {
+      await recordAuditLog({
+        apiKeyId: existing.id,
+        apiKeyName: existing.name,
+        operation: "auth_failure",
+        details: { reason: "disabled" },
+        ipAddress: context?.ipAddress ?? null
+      });
+      throw new ApiKeyError("API key is disabled", "disabled");
+    }
+    return {
+      id: existing.id,
+      name: existing.name,
+      isWildcard: Boolean(existing.is_wildcard),
+      providedKey: provided
+    };
+  }
+  if (wildcard && wildcard.enabled) {
+    return {
+      id: wildcard.id,
+      name: wildcard.name,
+      isWildcard: true,
+      providedKey: provided
+    };
+  }
+  await recordAuditLog({
+    operation: "auth_failure",
+    details: { reason: "invalid", hash: hashed.slice(0, 16) },
+    ipAddress: context?.ipAddress ?? null
+  });
+  throw new ApiKeyError("Invalid API key provided", "invalid");
+}
+async function recordApiKeyUsage(id, delta) {
+  const now = Date.now();
+  await ensureApiKeysMetadataLoaded();
+  if (apiKeysHasUpdatedAt) {
+    await runQuery(
+      `UPDATE api_keys
+          SET last_used_at = ?,
+              request_count = COALESCE(request_count, 0) + 1,
+              total_input_tokens = COALESCE(total_input_tokens, 0) + ?,
+              total_output_tokens = COALESCE(total_output_tokens, 0) + ?,
+              updated_at = ?
+        WHERE id = ?`,
+      [now, delta.inputTokens, delta.outputTokens, now, id]
+    );
+  } else {
+    await runQuery(
+      `UPDATE api_keys
+          SET last_used_at = ?,
+              request_count = COALESCE(request_count, 0) + 1,
+              total_input_tokens = COALESCE(total_input_tokens, 0) + ?,
+              total_output_tokens = COALESCE(total_output_tokens, 0) + ?
+        WHERE id = ?`,
+      [now, delta.inputTokens, delta.outputTokens, id]
+    );
+  }
+}
+async function decryptApiKeyValue(value) {
+  return decryptSecret(value);
+}
+async function ensureWildcardMetadata() {
+  const wildcard = await fetchWildcard();
+  if (!wildcard) {
+    return;
+  }
+  await runQuery(
+    "UPDATE api_keys SET key_prefix = COALESCE(key_prefix, ?), key_suffix = COALESCE(key_suffix, ?) WHERE id = ?",
+    ["WILD", "KEY", wildcard.id]
+  );
+}
+
 // routes/messages.ts
 function mapStopReason(reason) {
   switch (reason) {
@@ -1235,12 +1752,60 @@ function buildClaudeResponse(openAI, model) {
   };
 }
 async function registerMessagesRoute(app) {
-  app.post("/v1/messages", async (request, reply) => {
+  const handler = async (request, reply) => {
     const payload = request.body;
     if (!payload || typeof payload !== "object") {
       reply.code(400);
       return { error: "Invalid request body" };
     }
+    const resolveHeaderValue = (value) => {
+      if (!value)
+        return void 0;
+      if (typeof value === "string")
+        return value;
+      if (Array.isArray(value)) {
+        const found = value.find((item) => typeof item === "string" && item.trim().length > 0);
+        return found;
+      }
+      return void 0;
+    };
+    let providedApiKey = resolveHeaderValue(request.headers["x-api-key"]);
+    if (!providedApiKey) {
+      const authHeader = resolveHeaderValue(request.headers["authorization"]);
+      if (authHeader && authHeader.toLowerCase().startsWith("bearer ")) {
+        providedApiKey = authHeader.slice(7);
+      }
+    }
+    let apiKeyContext;
+    try {
+      apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+    } catch (error) {
+      if (error instanceof ApiKeyError) {
+        reply.code(401);
+        return {
+          error: {
+            code: "invalid_api_key",
+            message: error.message
+          }
+        };
+      }
+      throw error;
+    }
+    const encryptedApiKeyValue = apiKeyContext.providedKey ? encryptSecret(apiKeyContext.providedKey) : null;
+    let usageRecorded = false;
+    const commitUsage = async (inputTokens, outputTokens) => {
+      if (usageRecorded)
+        return;
+      usageRecorded = true;
+      if (apiKeyContext.id) {
+        const safeInput = Number.isFinite(inputTokens) ? inputTokens : 0;
+        const safeOutput = Number.isFinite(outputTokens) ? outputTokens : 0;
+        await recordApiKeyUsage(apiKeyContext.id, {
+          inputTokens: safeInput,
+          outputTokens: safeOutput
+        });
+      }
+    };
     const rawUrl = typeof request.raw?.url === "string" ? request.raw.url : request.url ?? "";
     let querySuffix = null;
     if (typeof rawUrl === "string" && rawUrl.includes("?")) {
@@ -1258,14 +1823,13 @@ async function registerMessagesRoute(app) {
       requestedModel
     });
     const providerType = target.provider.type ?? "custom";
-    const modelDefinition = target.provider.models?.find((m) => m.id === target.modelId);
-    const supportsTools = modelDefinition?.capabilities?.tools === true;
+    const supportsTools = (target.provider.type ?? "custom") !== "custom";
     const supportsMetadata = providerType !== "custom";
     let normalizedForProvider = supportsTools ? normalized : stripTooling(normalized);
     if (!supportsMetadata) {
       normalizedForProvider = stripMetadata(normalizedForProvider);
     }
-    const maxTokensOverride = payload.max_tokens ?? modelDefinition?.maxTokens;
+    const maxTokensOverride = payload.max_tokens ?? void 0;
     const toolChoice = supportsTools ? payload.tool_choice : void 0;
     const overrideTools = supportsTools ? payload.tools : void 0;
     let providerBody;
@@ -1312,11 +1876,15 @@ async function registerMessagesRoute(app) {
     const storePayloads = getConfig().storePayloads !== false;
     const logId = await recordLog({
       timestamp: requestStart,
+      endpoint: "anthropic",
       provider: target.providerId,
       model: target.modelId,
       clientModel: requestedModel,
       sessionId: payload.metadata?.user_id,
-      stream: normalized.stream
+      stream: normalized.stream,
+      apiKeyId: apiKeyContext.id,
+      apiKeyName: apiKeyContext.name,
+      apiKeyValue: encryptedApiKeyValue
     });
     incrementActiveRequests();
     if (storePayloads) {
@@ -1379,6 +1947,7 @@ async function registerMessagesRoute(app) {
         if (storePayloads) {
           await upsertLogPayload(logId, { response: bodyText || null });
         }
+        await commitUsage(0, 0);
         await finalize(upstream.status, errorText);
         return { error: errorText };
       }
@@ -1408,7 +1977,8 @@ async function registerMessagesRoute(app) {
             ttftMs: latencyMs2,
             tpotMs: computeTpot(latencyMs2, outputTokens2, { streaming: false })
           });
-          await updateMetrics((/* @__PURE__ */ new Date()).toISOString().slice(0, 10), {
+          await commitUsage(inputTokens2, outputTokens2);
+          await updateMetrics((/* @__PURE__ */ new Date()).toISOString().slice(0, 10), "anthropic", {
             requests: 1,
             inputTokens: inputTokens2,
             outputTokens: outputTokens2,
@@ -1453,7 +2023,8 @@ async function registerMessagesRoute(app) {
           ttftMs: latencyMs,
           tpotMs: computeTpot(latencyMs, outputTokens, { streaming: false })
         });
-        await updateMetrics((/* @__PURE__ */ new Date()).toISOString().slice(0, 10), {
+        await commitUsage(inputTokens, outputTokens);
+        await updateMetrics((/* @__PURE__ */ new Date()).toISOString().slice(0, 10), "anthropic", {
           requests: 1,
           inputTokens,
           outputTokens,
@@ -1476,6 +2047,7 @@ async function registerMessagesRoute(app) {
       }
       if (!upstream.body) {
         reply.code(500);
+        await commitUsage(0, 0);
         await finalize(500, "Upstream returned empty body");
         return { error: "Upstream returned empty body" };
       }
@@ -1572,7 +2144,8 @@ async function registerMessagesRoute(app) {
             ttftMs
           })
         });
-        await updateMetrics((/* @__PURE__ */ new Date()).toISOString().slice(0, 10), {
+        await commitUsage(usagePrompt2, usageCompletion2);
+        await updateMetrics((/* @__PURE__ */ new Date()).toISOString().slice(0, 10), "anthropic", {
           requests: 1,
           inputTokens: usagePrompt2,
           outputTokens: usageCompletion2,
@@ -1696,7 +2269,8 @@ data: ${JSON.stringify(data)}
                 ttftMs
               })
             });
-            await updateMetrics((/* @__PURE__ */ new Date()).toISOString().slice(0, 10), {
+            await commitUsage(finalPromptTokens, finalCompletionTokens);
+            await updateMetrics((/* @__PURE__ */ new Date()).toISOString().slice(0, 10), "anthropic", {
               requests: 1,
               inputTokens: finalPromptTokens,
               outputTokens: finalCompletionTokens,
@@ -1853,7 +2427,8 @@ data: ${JSON.stringify(data)}
             ttftMs
           })
         });
-        await updateMetrics((/* @__PURE__ */ new Date()).toISOString().slice(0, 10), {
+        await commitUsage(fallbackPrompt, fallbackCompletion);
+        await updateMetrics((/* @__PURE__ */ new Date()).toISOString().slice(0, 10), "anthropic", {
           requests: 1,
           inputTokens: fallbackPrompt,
           outputTokens: fallbackCompletion,
@@ -1885,6 +2460,7 @@ data: ${JSON.stringify(data)}
       if (!reply.sent) {
         reply.code(500);
       }
+      await commitUsage(0, 0);
       await finalize(reply.statusCode >= 400 ? reply.statusCode : 500, message);
       return { error: message };
     } finally {
@@ -1893,7 +2469,593 @@ data: ${JSON.stringify(data)}
         await finalize(reply.statusCode ?? 200, null);
       }
     }
-  });
+  };
+  app.post("/v1/messages", handler);
+  app.post("/anthropic/v1/messages", handler);
+}
+
+// protocol/normalize-openai.ts
+function coerceArray(value) {
+  if (value == null)
+    return [];
+  return Array.isArray(value) ? value : [value];
+}
+function extractTextFromContent(content) {
+  const textParts = [];
+  const toolResults = [];
+  const toolCalls = [];
+  const blocks = coerceArray(content);
+  for (const block of blocks) {
+    if (!block || typeof block !== "object") {
+      if (typeof block === "string") {
+        textParts.push(block);
+      }
+      continue;
+    }
+    const type = block.type ?? block.kind ?? block.role;
+    const textValue = typeof block.text === "string" ? block.text : typeof block.value === "string" ? block.value : typeof block.content === "string" ? block.content : "";
+    if (type === "text" || type === "input_text" || type === "output_text") {
+      if (textValue) {
+        textParts.push(textValue);
+      }
+      continue;
+    }
+    if (type === "tool_result" || type === "function_result") {
+      toolResults.push({
+        id: typeof block.tool_call_id === "string" ? block.tool_call_id : typeof block.id === "string" ? block.id : `tool_result_${Math.random().toString(36).slice(2)}`,
+        name: typeof block.name === "string" ? block.name : void 0,
+        content: block.result ?? block.output ?? block.content ?? textValue ?? null,
+        cacheControl: block.cache_control
+      });
+      continue;
+    }
+    if (type === "tool_use" || type === "function_call") {
+      toolCalls.push({
+        id: typeof block.id === "string" ? block.id : `tool_call_${Math.random().toString(36).slice(2)}`,
+        name: typeof block.name === "string" ? block.name : block.function?.name ? block.function.name : "tool",
+        arguments: block.arguments ?? block.input ?? block.function?.arguments ?? {},
+        cacheControl: block.cache_control
+      });
+      continue;
+    }
+  }
+  return {
+    text: textParts.join("\n"),
+    toolResults: toolResults.length > 0 ? toolResults : void 0,
+    toolCalls: toolCalls.length > 0 ? toolCalls : void 0
+  };
+}
+function mapInputToMessages(payload) {
+  const messages = [];
+  const systemParts = [];
+  const inputItems = coerceArray(payload?.input ?? payload?.messages);
+  for (const item of inputItems) {
+    if (item == null)
+      continue;
+    if (typeof item === "string") {
+      messages.push({
+        role: "user",
+        text: item
+      });
+      continue;
+    }
+    if (typeof item !== "object")
+      continue;
+    const role = item.role === "assistant" || item.role === "system" ? item.role : item.role === "developer" ? "system" : "user";
+    if (role === "system") {
+      const parts = extractTextFromContent(item.content);
+      if (parts.text) {
+        systemParts.push(parts.text);
+      }
+      continue;
+    }
+    const { text, toolResults, toolCalls } = extractTextFromContent(item.content);
+    const normalized = {
+      role: role === "assistant" ? "assistant" : "user",
+      text
+    };
+    if (role === "user" && toolResults) {
+      normalized.toolResults = toolResults;
+    }
+    if (role === "assistant") {
+      const inlineToolCalls = coerceArray(item.tool_calls);
+      if (inlineToolCalls.length > 0) {
+        normalized.toolCalls = inlineToolCalls.map((call) => ({
+          id: typeof call.id === "string" ? call.id : `tool_call_${Math.random().toString(36).slice(2)}`,
+          name: call.function?.name ?? call.name ?? "tool",
+          arguments: (() => {
+            if (typeof call.function?.arguments === "string") {
+              try {
+                return JSON.parse(call.function.arguments);
+              } catch {
+                return call.function.arguments;
+              }
+            }
+            return call.arguments ?? call.input ?? {};
+          })(),
+          cacheControl: call.cache_control
+        }));
+      } else if (toolCalls) {
+        normalized.toolCalls = toolCalls;
+      }
+    }
+    messages.push(normalized);
+  }
+  const extraInstructions = coerceArray(payload?.instructions);
+  for (const instruction of extraInstructions) {
+    if (typeof instruction === "string") {
+      if (instruction.trim().length > 0) {
+        systemParts.push(instruction.trim());
+      }
+      continue;
+    }
+    if (instruction && typeof instruction === "object") {
+      const parts = extractTextFromContent(instruction);
+      if (parts.text) {
+        systemParts.push(parts.text);
+      }
+    }
+  }
+  const system = systemParts.length > 0 ? systemParts.join("\n\n") : null;
+  return { messages, system };
+}
+function normalizeOpenAIResponsesPayload(payload) {
+  const stream = Boolean(payload?.stream);
+  const thinking = Boolean(payload?.reasoning ?? payload?.thinking);
+  const { messages, system } = mapInputToMessages(payload);
+  const toolsArray = coerceArray(payload?.tools);
+  return {
+    original: payload,
+    system,
+    messages,
+    tools: toolsArray,
+    stream,
+    thinking
+  };
+}
+
+// routes/openai.ts
+var OPENAI_DEBUG = process.env.CC_GW_DEBUG_OPENAI === "1";
+var debugLog = (...args) => {
+  if (OPENAI_DEBUG) {
+    console.info("[cc-gw][openai]", ...args);
+  }
+};
+var roundTwoDecimals2 = (value) => Math.round(value * 100) / 100;
+function computeTpot2(totalLatencyMs, outputTokens, options) {
+  if (!Number.isFinite(outputTokens) || outputTokens <= 0) {
+    return null;
+  }
+  const streaming = options?.streaming ?? false;
+  const ttftMs = options?.ttftMs ?? null;
+  const reasoningTokens = options?.reasoningTokens ?? 0;
+  const totalTokensHint = options?.totalTokens ?? null;
+  let effectiveLatency = totalLatencyMs;
+  if (streaming && ttftMs != null && totalLatencyMs > 0) {
+    const ttftRatio = ttftMs / totalLatencyMs;
+    if (reasoningTokens > 0) {
+      effectiveLatency = totalLatencyMs;
+    } else if (ttftRatio <= 0.2) {
+      effectiveLatency = Math.max(totalLatencyMs - ttftMs, totalLatencyMs * 0.2);
+    } else {
+      effectiveLatency = totalLatencyMs;
+    }
+  }
+  const raw = effectiveLatency / outputTokens;
+  return Number.isFinite(raw) ? roundTwoDecimals2(raw) : null;
+}
+function resolveCachedTokens2(usage) {
+  if (!usage || typeof usage !== "object") {
+    return null;
+  }
+  if (typeof usage.cached_tokens === "number") {
+    return usage.cached_tokens;
+  }
+  const promptDetails = usage.prompt_tokens_details;
+  if (promptDetails && typeof promptDetails.cached_tokens === "number") {
+    return promptDetails.cached_tokens;
+  }
+  const inputDetails = usage.input_tokens_details;
+  if (inputDetails && typeof inputDetails.cached_tokens === "number") {
+    return inputDetails.cached_tokens;
+  }
+  if (typeof usage.cache_read_input_tokens === "number") {
+    return usage.cache_read_input_tokens;
+  }
+  if (typeof usage.cache_creation_input_tokens === "number") {
+    return usage.cache_creation_input_tokens;
+  }
+  return null;
+}
+async function registerOpenAiRoutes(app) {
+  const handleResponses = async (request, reply) => {
+    const payload = request.body;
+    if (!payload || typeof payload !== "object") {
+      reply.code(400);
+      return { error: "Invalid request body" };
+    }
+    debugLog("incoming request", {
+      stream: Boolean(payload.stream),
+      model: payload.model,
+      hasToolChoice: Boolean(payload.tool_choice),
+      toolsCount: Array.isArray(payload.tools) ? payload.tools.length : 0
+    });
+    const resolveHeaderValue = (value) => {
+      if (!value)
+        return void 0;
+      if (typeof value === "string")
+        return value;
+      if (Array.isArray(value)) {
+        const found = value.find((item) => typeof item === "string" && item.trim().length > 0);
+        return found;
+      }
+      return void 0;
+    };
+    let providedApiKey = resolveHeaderValue(request.headers["authorization"]);
+    if (providedApiKey && providedApiKey.toLowerCase().startsWith("bearer ")) {
+      providedApiKey = providedApiKey.slice(7);
+    }
+    if (!providedApiKey) {
+      providedApiKey = resolveHeaderValue(request.headers["x-api-key"]);
+    }
+    let apiKeyContext;
+    try {
+      apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+    } catch (error) {
+      if (error instanceof ApiKeyError) {
+        reply.code(401);
+        return {
+          error: {
+            code: "invalid_api_key",
+            message: error.message
+          }
+        };
+      }
+      throw error;
+    }
+    const encryptedApiKeyValue = apiKeyContext.providedKey ? encryptSecret(apiKeyContext.providedKey) : null;
+    let usageRecorded = false;
+    const commitUsage = async (inputTokens, outputTokens) => {
+      if (usageRecorded)
+        return;
+      usageRecorded = true;
+      if (apiKeyContext.id) {
+        const safeInput = Number.isFinite(inputTokens) ? inputTokens : 0;
+        const safeOutput = Number.isFinite(outputTokens) ? outputTokens : 0;
+        await recordApiKeyUsage(apiKeyContext.id, {
+          inputTokens: safeInput,
+          outputTokens: safeOutput
+        });
+      }
+    };
+    const normalized = normalizeOpenAIResponsesPayload(payload);
+    const requestedModel = typeof payload.model === "string" ? payload.model : void 0;
+    const target = resolveRoute({
+      payload: normalized,
+      requestedModel,
+      endpoint: "openai"
+    });
+    let connector;
+    const providerType = target.provider.type ?? "openai";
+    if (providerType === "openai") {
+      connector = createOpenAIConnector(target.provider, { defaultPath: "v1/responses" });
+    } else {
+      connector = getConnector(target.providerId);
+    }
+    const requestStart = Date.now();
+    const storePayloads = getConfig().storePayloads !== false;
+    const logId = await recordLog({
+      timestamp: requestStart,
+      endpoint: "openai",
+      provider: target.providerId,
+      model: target.modelId,
+      clientModel: requestedModel,
+      sessionId: payload.metadata?.user_id ?? payload.user,
+      stream: normalized.stream,
+      apiKeyId: apiKeyContext.id,
+      apiKeyName: apiKeyContext.name,
+      apiKeyValue: encryptedApiKeyValue
+    });
+    if (storePayloads) {
+      await upsertLogPayload(logId, {
+        prompt: (() => {
+          try {
+            return JSON.stringify(payload);
+          } catch {
+            return null;
+          }
+        })()
+      });
+    }
+    incrementActiveRequests();
+    let finalized = false;
+    const finalize = async (statusCode, error) => {
+      if (finalized)
+        return;
+      await finalizeLog(logId, {
+        latencyMs: Date.now() - requestStart,
+        statusCode,
+        error,
+        clientModel: requestedModel ?? null
+      });
+      finalized = true;
+    };
+    try {
+      const providerBody = { ...payload };
+      providerBody.model = target.modelId;
+      providerBody.stream = normalized.stream;
+      if (providerBody.max_output_tokens == null && typeof providerBody.max_tokens === "number") {
+        providerBody.max_output_tokens = providerBody.max_tokens;
+      }
+      delete providerBody.max_tokens;
+      if (typeof providerBody.thinking === "boolean") {
+        delete providerBody.thinking;
+      }
+      if (typeof providerBody.reasoning === "boolean") {
+        delete providerBody.reasoning;
+      }
+      if (providerBody.tool_choice === void 0) {
+        delete providerBody.tool_choice;
+      }
+      if (providerBody.tools === void 0) {
+        delete providerBody.tools;
+      }
+      if (providerBody.response_format === void 0) {
+        delete providerBody.response_format;
+      }
+      const upstream = await connector.send({
+        model: target.modelId,
+        body: providerBody,
+        stream: normalized.stream
+      });
+      if (upstream.status >= 400) {
+        reply.code(upstream.status);
+        const bodyText = upstream.body ? await new Response(upstream.body).text() : "";
+        const errorText = bodyText || "Upstream provider error";
+        debugLog("upstream error", upstream.status, errorText.slice(0, 200));
+        if (storePayloads) {
+          await upsertLogPayload(logId, { response: bodyText || null });
+        }
+        await commitUsage(0, 0);
+        await finalize(upstream.status, errorText);
+        return { error: errorText };
+      }
+      if (!normalized.stream) {
+        const rawBody = upstream.body ? await new Response(upstream.body).text() : "";
+        if (storePayloads) {
+          await upsertLogPayload(logId, { response: rawBody });
+        }
+        let parsed = null;
+        try {
+          parsed = rawBody ? JSON.parse(rawBody) : {};
+        } catch (error) {
+          await commitUsage(0, 0);
+          await finalize(200, null);
+          reply.header("content-type", "application/json");
+          return rawBody;
+        }
+        const usagePayload = parsed?.usage ?? null;
+        const inputTokens2 = usagePayload?.input_tokens ?? usagePayload?.prompt_tokens ?? target.tokenEstimate ?? estimateTokens(normalized, target.modelId);
+        const baseOutputTokens = usagePayload?.output_tokens ?? usagePayload?.completion_tokens ?? (typeof parsed?.content === "string" ? estimateTokens(normalized, target.modelId) : 0);
+        const reasoningTokens2 = (() => {
+          const details = usagePayload?.completion_tokens_details;
+          if (details && typeof details.reasoning_tokens === "number") {
+            return details.reasoning_tokens;
+          }
+          if (typeof usagePayload?.reasoning_tokens === "number") {
+            return usagePayload.reasoning_tokens;
+          }
+          return 0;
+        })();
+        const outputTokens2 = baseOutputTokens + reasoningTokens2;
+        const cachedTokens = resolveCachedTokens2(usagePayload);
+        const latencyMs2 = Date.now() - requestStart;
+        await updateLogTokens(logId, {
+          inputTokens: inputTokens2,
+          outputTokens: outputTokens2,
+          cachedTokens,
+          ttftMs: usagePayload?.first_token_latency_ms ?? latencyMs2,
+          tpotMs: usagePayload?.tokens_per_second ? computeTpot2(latencyMs2, outputTokens2, { streaming: false, reasoningTokens: reasoningTokens2 }) : null
+        });
+        await commitUsage(inputTokens2, outputTokens2);
+        await updateMetrics((/* @__PURE__ */ new Date()).toISOString().slice(0, 10), "openai", {
+          requests: 1,
+          inputTokens: inputTokens2,
+          outputTokens: outputTokens2,
+          latencyMs: latencyMs2
+        });
+        await finalize(200, null);
+        reply.header("content-type", "application/json");
+        return parsed ?? {};
+      }
+      if (!upstream.body) {
+        reply.code(500);
+        await commitUsage(0, 0);
+        await finalize(500, "Upstream returned empty body");
+        return { error: "Upstream returned empty body" };
+      }
+      reply.raw.setHeader("content-type", "text/event-stream; charset=utf-8");
+      reply.raw.setHeader("cache-control", "no-cache, no-transform");
+      reply.raw.setHeader("connection", "keep-alive");
+      reply.raw.setHeader("x-accel-buffering", "no");
+      if (typeof reply.raw.writeHead === "function") {
+        reply.raw.writeHead(200);
+      }
+      if (typeof reply.raw.flushHeaders === "function") {
+        ;
+        reply.raw.flushHeaders();
+      }
+      const reader = upstream.body.getReader();
+      const decoder = new TextDecoder();
+      let buffer = "";
+      let usagePrompt = null;
+      let usageCompletion = null;
+      let usageReasoning = null;
+      let usageCached = null;
+      let firstTokenAt = null;
+      let chunkCount = 0;
+      const capturedResponseChunks = storePayloads ? [] : null;
+      const replyClosed = () => {
+        debugLog("client connection closed before completion");
+      };
+      reply.raw.once("close", replyClosed);
+      try {
+        const selectMax = (candidates, current) => candidates.reduce((max, value) => {
+          if (typeof value === "number" && Number.isFinite(value) && value >= 0) {
+            return max == null || value > max ? value : max;
+          }
+          return max;
+        }, current);
+        const applyUsagePayload = (usagePayload) => {
+          usagePrompt = selectMax(
+            [
+              typeof usagePayload.prompt_tokens === "number" ? usagePayload.prompt_tokens : null,
+              typeof usagePayload.input_tokens === "number" ? usagePayload.input_tokens : null,
+              typeof usagePayload.total_tokens === "number" && typeof usagePayload.completion_tokens === "number" ? usagePayload.total_tokens - usagePayload.completion_tokens : null
+            ],
+            usagePrompt
+          );
+          const reasoningTokens2 = typeof usagePayload?.completion_tokens_details?.reasoning_tokens === "number" ? usagePayload.completion_tokens_details.reasoning_tokens : typeof usagePayload.reasoning_tokens === "number" ? usagePayload.reasoning_tokens : null;
+          usageCompletion = selectMax(
+            [
+              typeof usagePayload.output_tokens === "number" ? usagePayload.output_tokens : null,
+              typeof usagePayload.completion_tokens === "number" ? usagePayload.completion_tokens : null,
+              typeof usagePayload.response_tokens === "number" ? usagePayload.response_tokens : null,
+              typeof usagePayload.total_tokens === "number" && typeof usagePrompt === "number" ? usagePayload.total_tokens - usagePrompt : null,
+              reasoningTokens2
+            ],
+            usageCompletion
+          );
+          usageReasoning = selectMax(
+            [reasoningTokens2],
+            usageReasoning
+          );
+          if (usageCached == null) {
+            usageCached = resolveCachedTokens2(usagePayload);
+          }
+          if (OPENAI_DEBUG) {
+            debugLog("usage payload received", usagePayload);
+          }
+        };
+        while (true) {
+          const { value, done } = await reader.read();
+          if (value && !firstTokenAt) {
+            firstTokenAt = Date.now();
+          }
+          if (value) {
+            const chunk = decoder.decode(value, { stream: !done });
+            if (OPENAI_DEBUG) {
+              debugLog("sse chunk", chunk.length > 200 ? `${chunk.slice(0, 200)}\u2026` : chunk);
+            }
+            buffer += chunk;
+            chunkCount += 1;
+            reply.raw.write(chunk);
+            if (capturedResponseChunks) {
+              capturedResponseChunks.push(chunk);
+            }
+            while (true) {
+              const newlineIndex = buffer.indexOf("\n");
+              if (newlineIndex === -1)
+                break;
+              const line = buffer.slice(0, newlineIndex);
+              buffer = buffer.slice(newlineIndex + 1);
+              const trimmed = line.trim();
+              if (!trimmed.startsWith("data:"))
+                continue;
+              const dataStr = trimmed.slice(5).trim();
+              if (dataStr === "[DONE]") {
+                if (OPENAI_DEBUG) {
+                  debugLog("done marker received");
+                }
+                continue;
+              }
+              try {
+                const parsed = JSON.parse(dataStr);
+                const usagePayload = parsed?.usage || parsed?.response?.usage || null;
+                if (usagePayload) {
+                  applyUsagePayload(usagePayload);
+                }
+              } catch (parseError) {
+                if (OPENAI_DEBUG) {
+                  debugLog("failed to parse SSE data line (possibly incomplete):", dataStr.slice(0, 100));
+                }
+              }
+            }
+          }
+          if (done) {
+            if (buffer.length > 0) {
+              const trimmed = buffer.trim();
+              if (trimmed.startsWith("data:")) {
+                const dataStr = trimmed.slice(5).trim();
+                if (dataStr !== "[DONE]") {
+                  try {
+                    const parsed = JSON.parse(dataStr);
+                    const usagePayload = parsed?.usage || parsed?.response?.usage || null;
+                    if (usagePayload) {
+                      applyUsagePayload(usagePayload);
+                    }
+                  } catch {
+                  }
+                }
+              }
+            }
+            break;
+          }
+        }
+      } finally {
+        reply.raw.end();
+        reply.raw.removeListener("close", replyClosed);
+        debugLog("stream finished", { chunkCount, usagePrompt, usageCompletion, usageReasoning, usageCached });
+        if (capturedResponseChunks && capturedResponseChunks.length > 0) {
+          try {
+            await upsertLogPayload(logId, { response: capturedResponseChunks.join("") });
+          } catch (error) {
+            debugLog("failed to persist streamed payload", error);
+          }
+        }
+      }
+      const latencyMs = Date.now() - requestStart;
+      const inputTokens = usagePrompt ?? usageCompletion ?? target.tokenEstimate ?? estimateTokens(normalized, target.modelId);
+      const textOutputTokens = usageCompletion ?? 0;
+      const reasoningTokens = usageReasoning ?? 0;
+      const outputTokens = textOutputTokens + reasoningTokens;
+      await updateLogTokens(logId, {
+        inputTokens,
+        outputTokens,
+        cachedTokens: usageCached,
+        ttftMs: firstTokenAt ? firstTokenAt - requestStart : null,
+        tpotMs: computeTpot2(latencyMs, outputTokens, {
+          streaming: true,
+          ttftMs: firstTokenAt ? firstTokenAt - requestStart : null,
+          reasoningTokens
+        })
+      });
+      await commitUsage(inputTokens, outputTokens);
+      await updateMetrics((/* @__PURE__ */ new Date()).toISOString().slice(0, 10), "openai", {
+        requests: 1,
+        inputTokens,
+        outputTokens,
+        latencyMs
+      });
+      await finalize(200, null);
+      return reply;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unexpected error";
+      if (!reply.sent) {
+        reply.code(500);
+      }
+      await commitUsage(0, 0);
+      await finalize(reply.statusCode >= 400 ? reply.statusCode : 500, message);
+      return { error: message };
+    } finally {
+      decrementActiveRequests();
+      if (!finalized && reply.sent) {
+        await finalize(reply.statusCode ?? 200, null);
+      }
+    }
+  };
+  app.post("/openai/v1/responses", handleResponses);
+  app.post("/openai/responses", handleResponses);
 }
 
 // logging/queries.ts
@@ -1906,6 +3068,10 @@ async function queryLogs(options = {}) {
     conditions.push("provider = $provider");
     params.$provider = options.provider;
   }
+  if (options.endpoint) {
+    conditions.push("endpoint = $endpoint");
+    params.$endpoint = options.endpoint;
+  }
   if (options.model) {
     conditions.push("model = $model");
     params.$model = options.model;
@@ -1923,15 +3089,24 @@ async function queryLogs(options = {}) {
     conditions.push("timestamp <= $to");
     params.$to = options.to;
   }
+  if (options.apiKeyIds && options.apiKeyIds.length > 0) {
+    const placeholders = [];
+    options.apiKeyIds.forEach((id, index) => {
+      const key = `$apiKey${index}`;
+      placeholders.push(key);
+      params[key] = id;
+    });
+    conditions.push(`(api_key_id IN (${placeholders.join(", ")}))`);
+  }
   const whereClause = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
   const totalRow = await getOne(
     `SELECT COUNT(*) AS count FROM request_logs ${whereClause}`,
     params
   );
   const items = await getAll(
-    `SELECT id, timestamp, session_id, provider, model, client_model,
+    `SELECT id, timestamp, session_id, endpoint, provider, model, client_model,
             stream, latency_ms, status_code, input_tokens, output_tokens,
-            cached_tokens, ttft_ms, tpot_ms, error
+            cached_tokens, ttft_ms, tpot_ms, error, api_key_id, api_key_name, api_key_value
        FROM request_logs
        ${whereClause}
        ORDER BY timestamp DESC
@@ -1945,9 +3120,9 @@ async function queryLogs(options = {}) {
 }
 async function getLogDetail(id) {
   const record = await getOne(
-    `SELECT id, timestamp, session_id, provider, model, client_model,
+    `SELECT id, timestamp, session_id, endpoint, provider, model, client_model,
             stream, latency_ms, status_code, input_tokens, output_tokens,
-            cached_tokens, ttft_ms, tpot_ms, error
+            cached_tokens, ttft_ms, tpot_ms, error, api_key_id, api_key_name, api_key_value
        FROM request_logs
        WHERE id = ?`,
     [id]
@@ -1979,7 +3154,12 @@ async function clearAllLogs() {
     metrics: Number(metricsResult.changes ?? 0)
   };
 }
-async function getDailyMetrics(days = 7) {
+async function getDailyMetrics(days = 7, endpoint) {
+  const params = [days];
+  const whereClause = endpoint ? "WHERE endpoint = ?" : "";
+  if (endpoint) {
+    params.unshift(endpoint);
+  }
   const rows = await getAll(
     `SELECT date,
             request_count AS requestCount,
@@ -1987,9 +3167,10 @@ async function getDailyMetrics(days = 7) {
             total_output_tokens AS outputTokens,
             total_latency_ms AS totalLatency
        FROM daily_metrics
+       ${whereClause}
        ORDER BY date DESC
        LIMIT ?`,
-    [days]
+    params
   );
   return rows.map((row) => ({
     date: row.date,
@@ -1999,14 +3180,17 @@ async function getDailyMetrics(days = 7) {
     avgLatencyMs: row.requestCount ? Math.round((row.totalLatency ?? 0) / row.requestCount) : 0
   })).reverse();
 }
-async function getMetricsOverview() {
+async function getMetricsOverview(endpoint) {
+  const totalsWhere = endpoint ? "WHERE endpoint = ?" : "";
   const totalsRow = await getOne(
     `SELECT
        COALESCE(SUM(request_count), 0) AS requests,
        COALESCE(SUM(total_input_tokens), 0) AS inputTokens,
        COALESCE(SUM(total_output_tokens), 0) AS outputTokens,
        COALESCE(SUM(total_latency_ms), 0) AS totalLatency
-     FROM daily_metrics`
+     FROM daily_metrics
+     ${totalsWhere}`,
+    endpoint ? [endpoint] : []
   );
   const todayKey = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
   const todayRow = await getOne(
@@ -2015,8 +3199,9 @@ async function getMetricsOverview() {
             total_output_tokens AS outputTokens,
             total_latency_ms AS totalLatency
        FROM daily_metrics
-       WHERE date = ?`,
-    [todayKey]
+       WHERE date = ?
+         ${endpoint ? "AND endpoint = ?" : ""}`,
+    endpoint ? [todayKey, endpoint] : [todayKey]
   );
   const resolveAvg = (totalLatency, requests) => requests > 0 ? Math.round(totalLatency / requests) : 0;
   const totalsRequests = totalsRow?.requests ?? 0;
@@ -2038,8 +3223,13 @@ async function getMetricsOverview() {
     }
   };
 }
-async function getModelUsageMetrics(days = 7, limit = 10) {
+async function getModelUsageMetrics(days = 7, limit = 10, endpoint) {
   const since = Date.now() - days * 24 * 60 * 60 * 1e3;
+  const params = [since];
+  const endpointClause = endpoint ? "AND endpoint = ?" : "";
+  if (endpoint) {
+    params.push(endpoint);
+  }
   const rows = await getAll(
     `SELECT
        model,
@@ -2052,10 +3242,11 @@ async function getModelUsageMetrics(days = 7, limit = 10) {
        AVG(CASE WHEN tpot_ms IS NULL THEN NULL ELSE tpot_ms END) AS avgTpotMs
      FROM request_logs
      WHERE timestamp >= ?
+       ${endpointClause}
      GROUP BY provider, model
      ORDER BY requests DESC
      LIMIT ?`,
-    [since, limit]
+    [...params, limit]
   );
   const roundValue = (value, fractionDigits = 0) => value == null ? null : Number(value.toFixed(fractionDigits));
   return rows.map((row) => ({
@@ -2069,13 +3260,81 @@ async function getModelUsageMetrics(days = 7, limit = 10) {
     avgTpotMs: roundValue(row.avgTpotMs, 2)
   }));
 }
+async function getApiKeyOverviewMetrics(rangeDays = 7, endpoint) {
+  const totals = await getOne("SELECT COUNT(*) AS total, SUM(CASE WHEN enabled = 1 THEN 1 ELSE 0 END) AS enabled FROM api_keys");
+  const since = Date.now() - rangeDays * 24 * 60 * 60 * 1e3;
+  const params = [since];
+  const endpointClause = endpoint ? "AND endpoint = ?" : "";
+  if (endpoint) {
+    params.push(endpoint);
+  }
+  const active = await getOne(
+    `SELECT COUNT(DISTINCT api_key_id) AS count
+       FROM request_logs
+      WHERE api_key_id IS NOT NULL
+        AND timestamp >= ?
+        ${endpointClause}`,
+    params
+  );
+  return {
+    totalKeys: totals?.total ?? 0,
+    enabledKeys: totals?.enabled ?? 0,
+    activeKeys: active?.count ?? 0,
+    rangeDays
+  };
+}
+async function getApiKeyUsageMetrics(days = 7, limit = 10, endpoint) {
+  const since = Date.now() - days * 24 * 60 * 60 * 1e3;
+  const params = [since];
+  const endpointClause = endpoint ? "AND endpoint = ?" : "";
+  if (endpoint) {
+    params.push(endpoint);
+  }
+  const rows = await getAll(
+    `SELECT
+       api_key_id AS apiKeyId,
+       api_key_name AS apiKeyName,
+       COUNT(*) AS requests,
+       COALESCE(SUM(input_tokens), 0) AS inputTokens,
+       COALESCE(SUM(output_tokens), 0) AS outputTokens,
+       MAX(timestamp) AS lastUsedAt
+     FROM request_logs
+     WHERE timestamp >= ?
+       ${endpointClause}
+     GROUP BY api_key_id, api_key_name
+     ORDER BY requests DESC
+     LIMIT ?`,
+    [...params, limit]
+  );
+  return rows.map((row) => ({
+    apiKeyId: row.apiKeyId ?? null,
+    apiKeyName: row.apiKeyName ?? null,
+    requests: row.requests ?? 0,
+    inputTokens: row.inputTokens ?? 0,
+    outputTokens: row.outputTokens ?? 0,
+    lastUsedAt: row.lastUsedAt ? new Date(row.lastUsedAt).toISOString() : null
+  }));
+}
 
 // routes/admin.ts
 async function registerAdminRoutes(app) {
-  const mapLogRecord = (record) => ({
-    ...record,
-    stream: Boolean(record?.stream)
-  });
+  try {
+    await ensureWildcardMetadata();
+  } catch (error) {
+    app.log.warn({ error }, "[api-keys] failed to ensure wildcard metadata");
+  }
+  const mapLogRecord = (record, options) => {
+    const base = {
+      ...record,
+      stream: Boolean(record?.stream)
+    };
+    if (options?.includeKeyValue) {
+      base.api_key_value = options.decryptedKey ?? record?.api_key_value ?? null;
+    } else {
+      delete base.api_key_value;
+    }
+    return base;
+  };
   app.get("/api/status", async () => {
     const config = getConfig();
     return {
@@ -2144,12 +3403,12 @@ async function registerAdminRoutes(app) {
       system: "You are a connection diagnostic assistant."
     });
     const providerBody = provider.type === "anthropic" ? buildAnthropicBody(testPayload, {
-      maxTokens: provider.models?.find((m) => m.id === targetModel)?.maxTokens ?? 256,
+      maxTokens: 256,
       temperature: 0,
       toolChoice: void 0,
       overrideTools: void 0
     }) : buildProviderBody(testPayload, {
-      maxTokens: provider.models?.find((m) => m.id === targetModel)?.maxTokens ?? 256,
+      maxTokens: 256,
       temperature: 0,
       toolChoice: void 0,
       overrideTools: void 0
@@ -2176,6 +3435,16 @@ async function registerAdminRoutes(app) {
       try {
         parsed = raw ? JSON.parse(raw) : null;
       } catch {
+        const fallbackSample = raw?.trim() ?? "";
+        if (provider.type && provider.type !== "anthropic") {
+          return {
+            ok: fallbackSample.length > 0,
+            status: upstream.status,
+            statusText: fallbackSample ? "OK (text response)" : "Empty response",
+            durationMs: duration,
+            sample: fallbackSample ? fallbackSample.slice(0, 200) : null
+          };
+        }
         return {
           ok: false,
           status: upstream.status,
@@ -2226,6 +3495,7 @@ async function registerAdminRoutes(app) {
     const model = typeof query.model === "string" && query.model.length > 0 ? query.model : void 0;
     const statusParam = typeof query.status === "string" ? query.status : void 0;
     const status = statusParam === "success" || statusParam === "error" ? statusParam : void 0;
+    const endpoint = isEndpoint(query.endpoint) ? query.endpoint : void 0;
     const parseTime = (value) => {
       if (!value)
         return void 0;
@@ -2237,9 +3507,22 @@ async function registerAdminRoutes(app) {
     };
     const from = parseTime(query.from);
     const to = parseTime(query.to);
-    const { items, total } = await queryLogs({ limit, offset, provider, model, status, from, to });
+    const collectApiKeyIds = (value) => {
+      if (!value)
+        return [];
+      if (Array.isArray(value)) {
+        return value.flatMap((item) => collectApiKeyIds(item));
+      }
+      if (typeof value === "string") {
+        return value.split(",").map((part) => Number(part.trim())).filter((num) => Number.isFinite(num));
+      }
+      return [];
+    };
+    const apiKeyIdsRaw = collectApiKeyIds(query.apiKeys ?? query.apiKeyIds ?? query.apiKey);
+    const apiKeyIds = apiKeyIdsRaw.length > 0 ? Array.from(new Set(apiKeyIdsRaw)) : void 0;
+    const { items, total } = await queryLogs({ limit, offset, provider, model, status, from, to, apiKeyIds, endpoint });
     reply.header("x-total-count", String(total));
-    return { total, items: items.map(mapLogRecord) };
+    return { total, items: items.map((item) => mapLogRecord(item)) };
   });
   app.get("/api/logs/:id", async (request, reply) => {
     const id = Number(request.params.id);
@@ -2253,7 +3536,8 @@ async function registerAdminRoutes(app) {
       return { error: "Not found" };
     }
     const payload = await getLogPayload(id);
-    return { ...mapLogRecord(record), payload };
+    const decryptedKey = await decryptApiKeyValue(record.api_key_value);
+    return { ...mapLogRecord(record, { includeKeyValue: true, decryptedKey }), payload };
   });
   app.post("/api/logs/cleanup", async () => {
     const config = getConfig();
@@ -2277,14 +3561,17 @@ async function registerAdminRoutes(app) {
       sizeBytes: pageCount * pageSize
     };
   });
-  app.get("/api/stats/overview", async () => {
-    return getMetricsOverview();
+  app.get("/api/stats/overview", async (request) => {
+    const query = request.query ?? {};
+    const endpoint = isEndpoint(query.endpoint) ? query.endpoint : void 0;
+    return getMetricsOverview(endpoint);
   });
   app.get("/api/stats/daily", async (request) => {
     const query = request.query ?? {};
     const daysRaw = Number(query.days ?? 7);
     const days = Number.isFinite(daysRaw) ? Math.max(1, Math.min(daysRaw, 30)) : 7;
-    return getDailyMetrics(days);
+    const endpoint = isEndpoint(query.endpoint) ? query.endpoint : void 0;
+    return getDailyMetrics(days, endpoint);
   });
   app.get("/api/stats/model", async (request) => {
     const query = request.query ?? {};
@@ -2292,9 +3579,86 @@ async function registerAdminRoutes(app) {
     const limitRaw = Number(query.limit ?? 10);
     const days = Number.isFinite(daysRaw) ? Math.max(1, Math.min(daysRaw, 90)) : 7;
     const limit = Number.isFinite(limitRaw) ? Math.max(1, Math.min(limitRaw, 50)) : 10;
-    return getModelUsageMetrics(days, limit);
+    const endpoint = isEndpoint(query.endpoint) ? query.endpoint : void 0;
+    return getModelUsageMetrics(days, limit, endpoint);
+  });
+  app.get("/api/stats/api-keys/overview", async (request) => {
+    const query = request.query ?? {};
+    const daysRaw = Number(query.days ?? 7);
+    const rangeDays = Number.isFinite(daysRaw) ? Math.max(1, Math.min(daysRaw, 90)) : 7;
+    const endpoint = isEndpoint(query.endpoint) ? query.endpoint : void 0;
+    return getApiKeyOverviewMetrics(rangeDays, endpoint);
+  });
+  app.get("/api/stats/api-keys/usage", async (request) => {
+    const query = request.query ?? {};
+    const daysRaw = Number(query.days ?? 7);
+    const limitRaw = Number(query.limit ?? 10);
+    const days = Number.isFinite(daysRaw) ? Math.max(1, Math.min(daysRaw, 90)) : 7;
+    const limit = Number.isFinite(limitRaw) ? Math.max(1, Math.min(limitRaw, 50)) : 10;
+    const endpoint = isEndpoint(query.endpoint) ? query.endpoint : void 0;
+    return getApiKeyUsageMetrics(days, limit, endpoint);
+  });
+  app.get("/api/keys", async () => {
+    return listApiKeys();
+  });
+  app.post("/api/keys", async (request, reply) => {
+    const body = request.body;
+    if (!body?.name || typeof body.name !== "string") {
+      reply.code(400);
+      return { error: "Name is required" };
+    }
+    try {
+      return await createApiKey(body.name, body.description, { ipAddress: request.ip });
+    } catch (error) {
+      reply.code(400);
+      return { error: error instanceof Error ? error.message : "Failed to create API key" };
+    }
+  });
+  app.patch("/api/keys/:id", async (request, reply) => {
+    const id = Number(request.params.id);
+    if (!Number.isFinite(id)) {
+      reply.code(400);
+      return { error: "Invalid id" };
+    }
+    const body = request.body;
+    if (typeof body?.enabled !== "boolean") {
+      reply.code(400);
+      return { error: "enabled field is required" };
+    }
+    try {
+      await setApiKeyEnabled(id, body.enabled, { ipAddress: request.ip });
+      return { success: true };
+    } catch (error) {
+      if (error instanceof Error && error.message === "API key not found") {
+        reply.code(404);
+      } else {
+        reply.code(400);
+      }
+      return { error: error instanceof Error ? error.message : "Failed to update API key" };
+    }
+  });
+  app.delete("/api/keys/:id", async (request, reply) => {
+    const id = Number(request.params.id);
+    if (!Number.isFinite(id)) {
+      reply.code(400);
+      return { error: "Invalid id" };
+    }
+    try {
+      await deleteApiKey(id, { ipAddress: request.ip });
+      return { success: true };
+    } catch (error) {
+      if (error instanceof Error && error.message === "API key not found") {
+        reply.code(404);
+      } else if (error instanceof Error && error.message === "Cannot delete wildcard key") {
+        reply.code(403);
+      } else {
+        reply.code(400);
+      }
+      return { error: error instanceof Error ? error.message : "Failed to delete API key" };
+    }
   });
 }
+var isEndpoint = (value) => value === "anthropic" || value === "openai";
 
 // tasks/maintenance.ts
 var DAY_MS = 24 * 60 * 60 * 1e3;
@@ -2330,17 +3694,17 @@ onConfigChange((config) => {
 });
 function resolveWebDist() {
   const __filename2 = fileURLToPath(import.meta.url);
-  const __dirname = path3.dirname(__filename2);
+  const __dirname = path4.dirname(__filename2);
   const candidates = [
     process2.env.CC_GW_UI_ROOT,
-    path3.resolve(__dirname, "../web/public"),
-    path3.resolve(__dirname, "../web/dist"),
-    path3.resolve(__dirname, "../../web/dist"),
-    path3.resolve(__dirname, "../../../src/web/dist"),
-    path3.resolve(process2.cwd(), "src/web/dist")
+    path4.resolve(__dirname, "../web/public"),
+    path4.resolve(__dirname, "../web/dist"),
+    path4.resolve(__dirname, "../../web/dist"),
+    path4.resolve(__dirname, "../../../src/web/dist"),
+    path4.resolve(process2.cwd(), "src/web/dist")
   ].filter((item) => Boolean(item));
   for (const candidate of candidates) {
-    if (fs3.existsSync(candidate)) {
+    if (fs4.existsSync(candidate)) {
       return candidate;
     }
   }
@@ -2348,12 +3712,49 @@ function resolveWebDist() {
 }
 async function createServer() {
   const config = cachedConfig2 ?? loadConfig();
+  const requestLogEnabled = config.requestLogging !== false;
+  const responseLogEnabled = config.responseLogging !== false;
   const app = Fastify({
     logger: {
       level: config.logLevel ?? "info"
     },
-    disableRequestLogging: config.requestLogging === false
+    disableRequestLogging: true
   });
+  if (requestLogEnabled) {
+    app.addHook("onRequest", (request, _reply, done) => {
+      const socket = request.socket;
+      const hostname = typeof request.hostname === "string" && request.hostname.length > 0 ? request.hostname : typeof request.headers.host === "string" ? request.headers.host : void 0;
+      app.log.info(
+        {
+          reqId: request.id,
+          req: {
+            method: request.method,
+            url: request.url,
+            hostname,
+            remoteAddress: request.ip,
+            remotePort: socket && typeof socket.remotePort === "number" ? socket.remotePort : void 0
+          }
+        },
+        "incoming request"
+      );
+      done();
+    });
+  }
+  if (responseLogEnabled) {
+    app.addHook("onResponse", (request, reply, done) => {
+      app.log.info(
+        {
+          reqId: request.id,
+          res: {
+            statusCode: reply.statusCode
+          },
+          responseTime: typeof reply.getResponseTime === "function" ? reply.getResponseTime() : void 0
+        },
+        "request completed"
+      );
+      done();
+    });
+  }
   await app.register(fastifyCors, {
     origin: true,
     credentials: true
@@ -2373,7 +3774,7 @@ async function createServer() {
         reply.code(400);
         return { error: "Invalid asset path" };
       }
-      return reply.sendFile(path3.join("assets", target));
+      return reply.sendFile(path4.join("assets", target));
     };
     app.get("/assets/*", assetHandler);
     app.head("/assets/*", assetHandler);
@@ -2392,6 +3793,7 @@ async function createServer() {
     app.log.warn("\u672A\u627E\u5230 Web UI \u6784\u5EFA\u4EA7\u7269\uFF0C/ui \u76EE\u5F55\u5C06\u4E0D\u53EF\u7528\u3002");
   }
   await registerMessagesRoute(app);
+  await registerOpenAiRoutes(app);
   await registerAdminRoutes(app);
   startMaintenanceTimers();
   app.get("/health", async () => {
@@ -2434,7 +3836,7 @@ async function main() {
   }
 }
 var __filename = fileURLToPath(import.meta.url);
-if (process2.argv[1] && path3.resolve(process2.argv[1]) === __filename) {
+if (process2.argv[1] && path4.resolve(process2.argv[1]) === __filename) {
   main();
 }
 export {